

Master IT Pro Contest

Yesterday, I had the pleasure of hosting the Master IT Pro contest!

The purpose of the contest was to “cook” a PowerShell script that would achieve the following tasks:

• Provision 500 accounts in Active Directory for users from the marketing department and 500 accounts for users from the finance department.

• Ensure that any document on a share containing social security numbers is encrypted so that only users from the finance department can read it.

The participants had one hour to perform the task, with some hints given during the competition :)

As with every script, there are several ways to achieve the given goal. Here is one way; I’m always open to discussion and looking for a better and faster approach!

Automate the creation of the users:

For this part, I’ll explain how to easily write the script. In Windows Server 2012, we have added new cmdlets that allow you to manage AD objects. For example, we’ve added “New-ADUser”, which creates an AD object of type “user”.
Using it is easy: launch the “Active Directory Administrative Center” as shown in the screen capture below and make sure you click on “PowerShell History”:

Powershell History

Using ADAC (Active Directory Administrative Center), create a test user and copy the PowerShell cmdlets from the history pane into the ISE (Integrated Scripting Environment).

It is a very good start and will help you begin building your script. Here is what I get when I create an account called “test” in my environment:

New-ADUser -DisplayName:"test" -GivenName:"test" -Name:"test" -Path:"OU=MasterIT,DC=masterit,DC=net" -SamAccountName:"test" -Server:"DC.masterit.net" -Type:"user"

Set-ADAccountControl -AccountNotDelegated:$false -AllowReversiblePasswordEncryption:$false -CannotChangePassword:$false -DoesNotRequirePreAuth:$false -Identity:"CN=test,OU=MasterIT,DC=masterit,DC=net" -PasswordNeverExpires:$false -Server:"DC.masterit.net" -UseDESKeyOnly:$false

Set-ADUser -ChangePasswordAtLogon:$true -Identity:"CN=test,OU=MasterIT,DC=masterit,DC=net" -Server:"DC.masterit.net" -SmartcardLogonRequired:$false

Once we have those basic steps, which you can modify as you like (for example by adding some properties to the user), we can start writing the loop that will create all 1000 users.

Creating 1000 users and putting them in the right group:

You have two options here. The first one, which I used at the beginning, is to write a loop that creates users with an increment in the name. Some participants pointed out that this is not very reusable and that taking a CSV file as input is a better approach. I agree with them, and here is how to do it:

First import the entries from the CSV file where you have the user list:

$users = Import-Csv -LiteralPath ".\users.csv" -Delimiter ","

Then we only need to go through each entry of the file. Conveniently, the $users variable is a collection, so we can iterate directly over its objects:

foreach ($user in $users)
{
    # This is where my script will go
}

Finally, here is the script for the first part:

# Assumes users.csv has the columns Name, GivenName, SamAccountName and Department,
# where Department holds the name of the department group (Marketing or Finance)
$users = Import-Csv -LiteralPath ".\users.csv" -Delimiter ","
foreach ($user in $users)
{
    $name = $user.Name
    $dn = "CN=$name,OU=MasterIT,DC=masterit,DC=net"
    New-ADUser -DisplayName:$name -GivenName:$user.GivenName -Name:$name -Path:"OU=MasterIT,DC=masterit,DC=net" -SamAccountName:$user.SamAccountName -Server:"DC.masterit.net" -Type:"user"
    Set-ADAccountControl -AccountNotDelegated:$false -AllowReversiblePasswordEncryption:$false -CannotChangePassword:$false -DoesNotRequirePreAuth:$false -Identity:$dn -PasswordNeverExpires:$false -Server:"DC.masterit.net" -UseDESKeyOnly:$false
    Set-ADUser -ChangePasswordAtLogon:$true -Identity:$dn -Server:"DC.masterit.net" -SmartcardLogonRequired:$false
    # Put the user in the right department group
    Add-ADGroupMember -Identity:$user.Department -Members:$user.SamAccountName -Server:"DC.masterit.net"
}
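The loop above relies on the ADAC-generated cmdlets. As an added example (not part of the original post), here is a more complete CSV-driven version of the same first part, written the way I would run it against a real directory: it creates the two department groups if they are missing, skips accounts that already exist so the script can be re-run, gives every account a distinct random initial password (an account created without -AccountPassword stays disabled) and puts the user in its department group. The CSV columns GivenName, Surname, SamAccountName and Department, the OU path and the domain controller name are assumptions.

```powershell
# Added example, not from the original post.
# Assumed CSV columns: GivenName,Surname,SamAccountName,Department
# Assumed directory layout: OU=MasterIT,DC=masterit,DC=net served by DC.masterit.net
Import-Module ActiveDirectory

$Server      = 'DC.masterit.net'
$UserOu      = 'OU=MasterIT,DC=masterit,DC=net'
$UpnSuffix   = 'masterit.net'
$Departments = @('Marketing', 'Finance')

# One global security group per department, created only if it does not exist yet.
foreach ($dept in $Departments) {
    if (-not (Get-ADGroup -Server $Server -Filter "Name -eq '$dept'")) {
        New-ADGroup -Server $Server -Name $dept -Path $UserOu `
            -GroupScope Global -GroupCategory Security
    }
}

# Random initial password from the OS CSPRNG, so no two accounts share a
# known default and nobody can log on before the user changes it.
function New-RandomPassword {
    param([int]$Length = 20)
    $chars = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%&*-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$users = Import-Csv -LiteralPath '.\users.csv' -Delimiter ','
foreach ($user in $users) {
    if ($user.Department -notin $Departments) {
        Write-Warning "Skipping $($user.SamAccountName): unknown department '$($user.Department)'"
        continue
    }
    # Idempotency: a second run must not fail on accounts created by the first one.
    if (Get-ADUser -Server $Server -Filter "SamAccountName -eq '$($user.SamAccountName)'") {
        Write-Verbose "$($user.SamAccountName) already exists, skipping"
        continue
    }

    $plain    = New-RandomPassword
    $password = ConvertTo-SecureString $plain -AsPlainText -Force
    $name     = "$($user.GivenName) $($user.Surname)"

    New-ADUser -Server $Server -Path $UserOu -Name $name -DisplayName $name `
        -GivenName $user.GivenName -Surname $user.Surname `
        -SamAccountName $user.SamAccountName -Department $user.Department `
        -UserPrincipalName "$($user.SamAccountName)@$UpnSuffix" `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

    Add-ADGroupMember -Server $Server -Identity $user.Department -Members $user.SamAccountName

    # Hand the initial password to the onboarding process; do not write it to a shared log.
    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        Department      = $user.Department
        InitialPassword = $plain
    }
}
```

The department check at the top of the loop matters for the second part of the challenge: a typo in the CSV would otherwise land a user outside both groups, or worse, the group membership that later gates access to the finance documents. Use -WhatIf on New-ADUser and Add-ADGroupMember for a dry run against the CSV before creating anything.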

Of course, if you want, you can use the new capabilities of PowerShell 3.0, which include running a workflow with some parallelism.

Deploy Rights Management Services (RMS):

Basically, the second step of the challenge is about automating the deployment of RMS and the configuration of File Server Resource Manager (FSRM).

For this step, I wanted to make it easy, so I relied on the existing sample on TechNet: https://technet.microsoft.com/en-us/library/hh831572.aspx

If you put all the code together, here is what the script looks like:

# Enable the two resource properties (Impact and PII) in the claims configuration
Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=masterit,DC=net"
Set-ADResourceProperty -Enabled:$true -Identity:"CN=PII_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=masterit,DC=net"

# Pull the resource properties down to the file server and schedule continuous classification
Update-FSRMClassificationPropertyDefinition
$date = Get-Date
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5, 1, 6, 0) -RunDuration 0
Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask

# Classification rule: set PII_MS to 5000 (high) on any file under C:\MasterIT containing a social security number
New-FSRMClassificationRule -Name "High PII" -Description "Determines if the document has a high PII based on the presence of a Social Security Number." -Property "PII_MS" -PropertyValue "5000" -Namespace @("C:\MasterIT") -ClassificationMechanism "Content Classifier" -Parameters @("RegularExpressionEx=Min=1;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$") -ReevaluateProperty Overwrite

# File management job: apply the 'MasterIT' RMS template to every file classified as high PII
$fmjRmsEncryption = New-FSRMFmjAction -Type 'Rms' -RmsTemplate 'MasterIT'
$fmjCondition1 = New-FSRMFmjCondition -Property 'PII_MS' -Condition 'Equal' -Value '5000'
$date = Get-Date
$schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
$fmj1 = New-FSRMFileManagementJob -Name "High PII" -Description "Automatic RMS protection for high PII documents" -Namespace @('C:\MasterIT') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)

That’s it: you just need to put both scripts together and you’re good to go!
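Whether the finance documents actually get encrypted depends entirely on the regular expression embedded in the “High PII” rule, so it is worth checking what it matches before the job runs over a live share. As an added example (not part of the original post or the TechNet sample), the snippet below pulls the Expr= part out of the rule’s -Parameters string and runs it against constructed sample values; only that part is a regex, the Min=1 prefix is a content-classifier setting. The function names and the sample strings are mine.

```powershell
# Added example, not from the original post or the TechNet sample.
# The -Parameters value exactly as passed to New-FSRMClassificationRule above.
$RuleParameter = 'RegularExpressionEx=Min=1;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'

function Get-ClassifierRegex {
    param([Parameter(Mandatory = $true)][string]$Parameter)
    # Everything after the first 'Expr=' is the expression the content classifier evaluates.
    $Parameter.Substring($Parameter.IndexOf('Expr=') + 'Expr='.Length)
}

function Test-SsnPattern {
    param(
        [Parameter(Mandatory = $true)][string]$Regex,
        [Parameter(Mandatory = $true)][string[]]$Samples
    )
    foreach ($s in $Samples) {
        # -match uses .NET regex, the same engine FSRM's content classifier relies on,
        # so lookaheads and the \3 backreference behave as in the rule.
        [pscustomobject]@{ Sample = $s; Flagged = [bool]($s -match $Regex) }
    }
}

# Constructed samples, none of them a real number. The first three are the
# shapes the rule should flag; the rest exercise each exclusion the pattern encodes.
$samples = @(
    '123-45-6789',   # dashed:                     flagged
    '123 45 6789',   # spaced:                     flagged
    '123456789',     # no separator:               flagged
    '000-12-3456',   # area 000 excluded:          not flagged
    '800-12-3456',   # area 800 and above:         not flagged
    '123-00-4567',   # group 00 excluded:          not flagged
    '123-45-0000',   # serial 0000 excluded:       not flagged
    '123-45 6789'    # mixed separators (\3):      not flagged
)

Test-SsnPattern -Regex (Get-ClassifierRegex $RuleParameter) -Samples $samples | Format-Table -AutoSize
```

Reading the pattern this way also shows that its first alternative, [0-7]\d{2}, already admits every area number from 001 to 799, so the second alternative adds nothing; whether that is acceptable depends on how many false positives you are willing to encrypt. Running such a check on a copy of real documents, rather than going straight to -Continuous on the production share, is the cheap way to find out before users lose access to files they could read yesterday.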

Conclusion

The purpose of the contest is less to compete than to learn the language. I strongly believe that automation will be key in the near future for IT Pros: the ones who know how to automate repetitive tasks and processes in the datacenter will be the ones companies look for. A recent study from IDC shows that there will soon be a shortage of cloud-skilled IT workers, so the better trained you are, the better off you will be (https://www.microsoft.com/en-us/news/features/2012/dec12/12-19CloudWorkersWanted.aspx).

PowerShell may seem a bit complicated at the beginning, but as you have seen here, with a few simple steps you can start to automate your most common and repetitive tasks. This gives you the basics of the language, and from there you build your expertise. It will take some time, but it is never too early to learn!

More resources on PowerShell: https://technet.microsoft.com/en-us/scriptcenter/powershell.aspx